Agencies have invested considerable resources in security at the systems level in response to escalating cyber threats.

An upcoming publication from the National Institute of Standards and Technology will recommend changing that by shifting to a three-tiered risk management strategy, according to Ron Ross, a senior computer scientist at NIST.

The document, 800-39, will integrate security and risk management from the strategic level at the top of the organization down all the way to the lowest level systems. It is currently in draft form and Ross expects it to be released in about two months.

According to Ross, most NIST publications have focused on security at the systems level, but 800-39 will be “the first serious discussion about what it means to have the three tiers: the governance layer, where you talk about culture and about trust models and the risk management paradigm being implemented across the organization. And then tier two being an aggressive use of enterprise architecture and building security at that level.”

Ross says that while agencies will continue to battle “endless vulnerabilities at the back end,” effective use of enterprise architecture will help secure most system weaknesses and give agencies “a hope of reducing some of those at the back end.”

Aggressive use of enterprise architecture will focus on integrating security and privacy requirements into the architecture process. Ross says, “The approach is aggressive in the sense of making sure we get the right requirements early in the process instead of waiting until the system is already deployed and then we have to retrofit things. It never works as well, it’s more costly, and we don’t get as much effectiveness out of it.”

There are several multi-agency studies of the role of enterprise architecture in security. Ross says the Federal Enterprise Architecture Process is good but needs to be used more aggressively and hopes some of the NIST recommendations will be added to it.

“We tried to craft a document that would be understandable to both security folks and enterprise architects and the privacy community. So when you start to develop a new information system coming out of your enterprise architecture these things will already be built into the process. You can’t go forward and procure a new system unless those security and privacy requirements have already been defined and are part of the overall package going forward.”

Ross also says the idea of agile defense will be described in 800-39, as well as in addenda to the ongoing 800-37.

Agile defense assesses each threat’s taxonomy: its capabilities, intentions, resources and targeting aspects. It then creates an equivalent cyber security capability to counter each threat.

According to Ross, the new NIST documents do not specifically address upgrades in continuous monitoring because it has always been a part of the risk management framework; however, he expects continuous monitoring to move toward automation.

“It’s not a replacement for anything,” he says. “It’s actually driving us forward to get better information in a more timely fashion.”